In this lesson we will:
- Learn about the Snowflake permission model, including users and roles, and how they are used to control access to data and objects within your databases;
- Learn about Row Level Access Control.
As with many databases, Snowflake has a Role Based Access Control Model. Permissions to read or write certain database objects are granted to roles, and roles are granted to users.
A database object could of course be a table containing data, but the same model applies to all database objects, including accounts, databases, views, stored procedures etc.
A common set of roles might look like the below:
A particular set of permissions might be:
- MANAGER has read and write permission for table SALES
- SALESPERSON has read permission to table SALES
Roles are created using SQL
create role storemanager; create role storeemployee;
We then grant permissions to the manager role.
alter role storemanager add alter role storemanager add
We can also grant permissions directly to users rather than indirectly via a role:
alter user benjamin grant role manager
The Role Based Access Control model outlined above is mainly used for controlling permissions at the database object level, such as allowing individual users the ability to read or write entire tables.
In some situations, we need more granular access to enable us to limit a subset of data to a specific user or role. For instance, maybe people with SALESPEOPLE role.
This is referred to as Row Level Access Policies. This will be described in more detail in a seperate lesson.